MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 140653704128a6aa88f80e80b387e87892367b26da00e392e9ccf181bb48408b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 140653704128a6aa88f80e80b387e87892367b26da00e392e9ccf181bb48408b
SHA3-384 hash: 93cb8dfcc6406ed664a31a2449960a88187845f10a9c42451fd6858630e3fd7f28bbd437a7faf4be4f87ebfa9950a27a
SHA1 hash: ee16c11d8459d965f7221255c6f1c677f0eb996c
MD5 hash: 1dca0b304ba53a4a788814e90fe23306
humanhash: glucose-harry-gee-july
File name:1dca0b304ba53a4a788814e90fe23306.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'554'096 bytes
First seen:2023-10-27 06:20:21 UTC
Last seen:2023-10-27 06:38:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8aadc1e04127fccdb3e29df493f299ba (1 x RedLineStealer)
ssdeep 49152:k+6SyoUT3GiZ5cl6sJWJTLc4YFkIQSfmlilQEjolBCwJaZ:kTYsGiZ5cl6swcl9QSfWzgKC5Z
Threatray 643 similar samples on MalwareBazaar
TLSH T16DC5D05336D44061FEA5327CA7930AC60DF33E82E6B489F925BBBC066B735917638631
TrID 35.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
32.8% (.SCR) Windows screen saver (13097/50/3)
11.2% (.EXE) Win32 Executable (generic) (4505/5/1)
5.1% (.EXE) Win16/32 Executable Delphi generic (2072/23)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 74e0dcdcdcccccd4 (4 x RedLineStealer, 2 x Quakbot)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
212.113.116.63:47534

Intelligence

File Origin
# of uploads :
2
# of downloads :
349
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://mega.nz/file/3vhgkbgK#_oM2IXY9Zo23MiDUyUZOY-3nQ2josOK0uBn73AnAwUw
Verdict:
Suspicious activity
Analysis date:
2023-10-24 08:10:38 UTC
Tags:
stealer autoit
Link:
https://app.any.run/tasks/e27ba046-7ad0-4d0f-b559-049b6f3cfd0b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/456652/
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.15470.10101.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Launching cmd.exe command interpreter
Creating a process with a hidden window
Sending a custom TCP request
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Running batch commands
Creating a process from a recently created file
DNS request
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control keylogger lolbin overlay packed
Link:
https://www.filescan.io/uploads/653b56d134de31f579cc03e8/reports/b35425a5-db83-4d8e-a341-cbb9992823ea/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/140653704128a6aa88f80e80b387e87892367b26da00e392e9ccf181bb48408b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/7ce96702-7d04-49ea-aeec-273a4c742613
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1333112
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to modify clipboard data
Drops PE files with a suspicious file extension
Found API chain indicative of debugger detection
Found API chain indicative of sandbox detection
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1333112 Sample: 6k6J83ckey.exe Startdate: 27/10/2023 Architecture: WINDOWS Score: 100 41 QXFpzFzoCnRXSSu.QXFpzFzoCnRXSSu 2->41 55 Snort IDS alert for network traffic 2->55 57 Found malware configuration 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 5 other signatures 2->61 10 6k6J83ckey.exe 10 2->10         started        signatures3 process4 file5 39 C:\Users\user\AppData\Local\Temp\38828\Dude, PE32 10->39 dropped 13 cmd.exe 1 10->13         started        process6 signatures7 71 Uses ping.exe to sleep 13->71 73 Drops PE files with a suspicious file extension 13->73 75 Uses ping.exe to check the status of other devices and networks 13->75 16 cmd.exe 1 13->16         started        19 conhost.exe 13->19         started        process8 signatures9 45 Uses ping.exe to sleep 16->45 21 Anymore.pif 1 16->21         started        25 cmd.exe 2 16->25         started        27 cmd.exe 2 16->27         started        29 4 other processes 16->29 process10 file11 35 C:\Users\user\AppData\Local\Temp\...\jsc.exe, PE32 21->35 dropped 63 Found API chain indicative of debugger detection 21->63 65 Found API chain indicative of sandbox detection 21->65 67 Writes to foreign memory regions 21->67 69 2 other signatures 21->69 31 jsc.exe 5 21->31         started        37 C:\Users\user\AppData\Local\...\Anymore.pif, PE32 25->37 dropped signatures12 process13 dnsIp14 43 212.113.116.63, 47534, 49739 ASRELCOMSPBRU Russian Federation 31->43 47 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 31->47 49 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 31->49 51 Tries to harvest and steal browser information (history, passwords, etc) 31->51 53 Tries to steal Crypto Currency Wallets 31->53 signatures15
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/140653704128a6aa88f80e80b387e87892367b26da00e392e9ccf181bb48408b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/140653704128a6aa88f80e80b387e87892367b26da00e392e9ccf181bb48408b/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-10-23 13:48:40 UTC
File Type:
PE (Exe)
Extracted files:
70
AV detection:
19 of 38 (50.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cqdfg4cbfctkvchyb2alhb7ipcjdm6zg3iaohexjztyydo2iicfq._file
Verdict:
malicious
Similar samples:
315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86
RedLineStealer
9908463593e6a22247db288d2966051a140a36fc712d5b546a3112ebba6b0483
RedLineStealer
a567c1f01f6bed6d88712149472f5262d2ddc14aa4d6c1b0544e81dd0929931f
RedLineStealer
b4b8d49ce8ac2c756f6d65399e71a15fc46814f4aee055bcc99cbb7d1d50cd88
RedLineStealer
c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23
RedLineStealer
c8c29747de0e8294d559a19e183e9ad6fd4c738a6e99bbf2f46f8dc1a3b7d05b
RedLineStealer
c9ff159b826661ea2361ee7a5ddb7fe27c036e9906f93cc302e4ed8851f4fffa
RedLineStealer
+ 633 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/231027-g4bhrscf6s/
Behaviour
Enumerates processes with tasklist
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
RedLine
RedLine payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
8dce1541e56afd729b3b8c06d7d86a4d1b5581e8222fc7f2de4f536daa99fc78
MD5 hash:
5c4ae30bbe50c5698060d82c0d250d14
SHA1 hash:
bebd64cd0d283269978fabfedcde38cf467741e9
Link:
https://www.unpac.me/results/60cfc90b-f7a6-4bf5-b2e2-e40a43f8f5b5/
SH256 hash:
140653704128a6aa88f80e80b387e87892367b26da00e392e9ccf181bb48408b
MD5 hash:
1dca0b304ba53a4a788814e90fe23306
SHA1 hash:
ee16c11d8459d965f7221255c6f1c677f0eb996c
Link:
https://www.unpac.me/results/60cfc90b-f7a6-4bf5-b2e2-e40a43f8f5b5/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/456652/

Comments